This slide deck incorporates many concepts from the Quick Reference Guide, but also utilizes other OWASP resources.


[https://www.owasp.org/images/b/ba/Web_Application_Development_Dos_and_Donts.ppt Web Application Development Dos and Donts - Presentation from the Royal Bank of Scotland]

Revision as of 22:56, 5 November 2013


Welcome to the Secure Coding Practices Quick Reference Guide Project

The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.

The focus is on secure coding requirements, rather than on vulnerabilities and exploits. It includes an introduction to Software Security Principles and a glossary of key terms.

It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

Purpose: This document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.

Sections of the guide were re-ordered and renamed, and new sections were added, to map more closely to the ASVS. However, input and output handling was left at the beginning, as opposed to lower in the list as it is in ASVS, since this is the source of the most common vulnerabilities, including ones that affect even very simple applications.

Entirely new sections include:

- Cryptographic Practices
- Error Handling and Logging

The guide's "Data Validation" section was split to match ASVS and is now represented as two separate sections, "Input Validation" and "Output Encoding".

The guide's "Authorization and Access Management" section was renamed "Access Control".

The guide's "Sensitive Information Storage or Transmission" section was split to match ASVS and is now two new sections, "Data Protection" and "Communication Security".

Additional practices were added to most sections to account for requirements in ASVS that the guide did not specifically cover, and some existing practices were reworded.

Release description: The guide is the technology agnostic checklist of general secure coding practices described above. This release is the result of the changes introduced in the previous version (SCP v1), which followed from the assessment process that version was submitted to.